Spain’s AI sandbox offers early test for biometric AI compliance

Herta says its BioSurveillance system completed Spain’s AI regulatory sandbox process.
Spain’s AI sandbox tests how facial recognition systems may prepare for EU AI Act compliance.

Spain’s AI regulatory sandbox is becoming an early test of how high-risk AI systems may prepare for compliance with the EU AI Act, with facial recognition among the technologies examined.

Spanish company Herta said it has completed the sandbox process for its facial-recognition video-surveillance system, BioSurveillance. The company presented the pilot as a step towards AI Act-ready deployments in public settings.

Herta describes BioSurveillance as a real-time video-surveillance system capable of detecting multiple faces, enrolling individuals during operation, identifying previously registered people and managing alerts. Its BioSurveillance NEXT product is designed for simultaneous identification in crowded and changing environments.

Spain’s AI agency, AESIA, says practical guides developed through the national AI regulatory sandbox are intended to help companies that develop or deploy high-risk AI systems prepare for their obligations under the EU AI Act. The guides provide recommendations while harmonised EU standards are still being developed.

However, sandbox participation should not be treated as approval for public facial recognition deployments. Remote biometric identification in publicly accessible spaces remains one of the most sensitive areas under the EU AI Act. It is subject to strict limits, depending on the use case, operator and context.

The case highlights how companies developing biometric AI systems are seeking early compliance pathways, while regulators face pressure to balance innovation, public safety, privacy and fundamental rights.

Why does it matter?

Facial recognition is one of the most contested areas of AI regulation because it combines public-space surveillance, biometric data processing and risks to privacy and fundamental rights. Spain’s sandbox offers an early view of how high-risk AI providers may prepare documentation, testing and compliance processes under the EU AI Act. The case also shows why compliance language must be used carefully: participation in a sandbox may support readiness, but it does not remove the legal restrictions surrounding biometric identification in public spaces.

Would you like to learn more about AI, tech and digital diplomacyIf so, ask our Diplo chatbot